Bug 1482433
Summary: | There is an assertion abort in function dict_rename_var() of libpspp.
---|---
Product: | [Fedora] Fedora
Component: | pspp
Version: | rawhide
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | owl337 <v.owl337>
Assignee: | Peter Lemenkov <lemenkov>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | amello, lemenkov
Fixed In Version: | pspp-1.0.1-2.fc26 pspp-1.0.1-2.fc27
Last Closed: | 2017-10-25 23:09:38 UTC
Type: | Bug

pspp-1.0.1-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

pspp-1.0.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f5447d2c8

pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b221468e6e

pspp-1.0.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

pspp-1.0.1-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 1314605
Triggered by "./pspp-convert POC5 -O csv /dev/null"

Description of problem:

There is an assertion abort in function dict_rename_var() of libpspp.

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./pspp-convert POC5 -O csv /dev/null

Steps to Reproduce:

Normal output:

```
$./pspp-convert POC5 -O csv /dev/null
id:000018,sig:06,src:001331,op:arith8,pos:678,val:-1': This system file does not indicate its own character encoding. Using default encoding UTF-8. For best results, specify an encoding explicitly. Use SYSFILE INFO with ENCODING="DETECT" to analyze the possible encodings.
`id:000018,sig:06,src:001331,op:arith8,pos:678,val:-1' near offset 0xd4: Renaming variable with duplicate name `VAR00003' to `VAR001'.
`id:000018,sig:06,src:001331,op:arith8,pos:678,val:-1' near offset 0xf4: Renaming variable with duplicate name `VAR00003' to `VAR002'.
pspp-convert: src/data/dictionary.c:768: void dict_rename_var(struct dictionary *, struct variable *, const char *): Assertion `!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)' failed.
Aborted
```

The GDB debugging information is as follows:

```
(gdb) r
...
Breakpoint 3, dict_rename_var (d=0x611000009a00, v=0x610000007240, new_name=0x60d00000cc79 "VAR00001") at src/data/dictionary.c:767
767       assert (!utf8_strcasecmp (var_get_name (v), new_name)
(gdb) c 3
Will ignore next 2 crossings of breakpoint 3. Continuing.
Breakpoint 3, dict_rename_var (d=0x611000009a00, v=0x610000007e40, new_name=0x60d00000ccaf "VAR00003") at src/data/dictionary.c:767
767       assert (!utf8_strcasecmp (var_get_name (v), new_name)
(gdb) n
pspp-convert: src/data/dictionary.c:768: void dict_rename_var(struct dictionary *, struct variable *, const char *): Assertion `!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff62331c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007ffff6234e2a in __GI_abort () at abort.c:89
#2 0x00007ffff622c0bd in __assert_fail_base (fmt=0x7ffff638df78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7ae4aa0 <.str16> "!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)", file=file@entry=0x7ffff7ae4100 <.str2> "src/data/dictionary.c", line=line@entry=768, function=function@entry=0x7ffff7ae4b20 <__PRETTY_FUNCTION__.dict_rename_var> "void dict_rename_var(struct dictionary *, struct variable *, const char *)") at assert.c:92
#3 0x00007ffff622c172 in __GI___assert_fail ( assertion=0x7ffff7ae4aa0 <.str16> "!utf8_strcasecmp (var_get_name (v), new_name) || dict_lookup_var (d, new_name) == ((void*)0)", file=0x7ffff7ae4100 <.str2> "src/data/dictionary.c", line=768, function=0x7ffff7ae4b20 <__PRETTY_FUNCTION__.dict_rename_var> "void dict_rename_var(struct dictionary *, struct variable *, const char *)") at assert.c:101
#4 0x00007ffff78a2c3d in dict_rename_var (d=<optimized out>, v=<optimized out>, new_name=<optimized out>) at src/data/dictionary.c:767
#5 0x00007ffff792539f in rename_var_and_save_short_names (dict=0x611000009a00, var=0x610000007e40, new_name=0x60d00000ccaf "VAR00003") at src/data/sys-file-reader.c:2018
#6 0x00007ffff7919da7 in parse_long_var_name_map (record=<optimized out>, dict=<optimized out>, r=<optimized out>) at src/data/sys-file-reader.c:2086
#7 sfm_decode (r_=<optimized out>, encoding=<optimized out>, dictp=0x7fffffffe380, infop=0x0) at src/data/sys-file-reader.c:843
#8 0x00007ffff78480c1 in any_reader_decode (any_reader=0x61800000f880, encoding=0x0, dictp=0x7fffffffe380, info=0x0) at src/data/any-reader.c:147
#9 any_reader_open_and_decode (handle=<optimized out>, encoding=0x0, dictp=0x7fffffffe380, info=0x0) at src/data/any-reader.c:171
#10 0x00000000004dcc97 in main (argc=<optimized out>, argv=<optimized out>) at utilities/pspp-convert.c:174
(gdb) c
Continuing.

Program terminated with signal SIGABRT, Aborted.
The program no longer exists.
```

The vulnerability was triggered in function:

```
dict_rename_var (d=0x611000009a00, v=0x610000007240, new_name=0x60d00000cc79 "VAR00001") at src/data/dictionary.c:767
767       assert (!utf8_strcasecmp (var_get_name (v), new_name)
```

Actual results:

crash

Expected results:

crash

Additional info:

Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
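
An added example, not PSPP code and not part of the report: a simplified C model of the pattern in the backtrace, where a rename routine guarded by an `assert` precondition is reached with a name taken from the input file, next to a parser-side check that rejects the colliding name instead of aborting. The `toy_*` functions, `apply_long_name` and the sample names are hypothetical and say nothing about how the fix in pspp-1.0.1-2 was implemented.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_VARS 8
#define NAME_LEN 65
/* Toy dictionary: a simplified stand-in, not PSPP's struct dictionary. */
struct toy_dict { char names[MAX_VARS][NAME_LEN]; int n; };

/* Case-insensitive lookup (ASCII only in this model); index or -1. */
static int toy_lookup(const struct toy_dict *d, const char *name) {
    for (int i = 0; i < d->n; i++)
        if (strcasecmp(d->names[i], name) == 0) return i;
    return -1;
}

/* Internal API with the same shape of precondition as the failed assertion:
   new_name is the variable's own name, or is not in the dictionary yet. */
static void toy_rename(struct toy_dict *d, int idx, const char *new_name) {
    assert(!strcasecmp(d->names[idx], new_name) || toy_lookup(d, new_name) < 0);
    snprintf(d->names[idx], NAME_LEN, "%s", new_name);
}

/* Parser-side guard for one untrusted (short name -> long name) pair.
   Returns 1 if the rename was applied, 0 if the pair was rejected. */
static int apply_long_name(struct toy_dict *d, const char *short_name,
                           const char *long_name) {
    int idx = toy_lookup(d, short_name);
    size_t len = strlen(long_name);
    if (idx < 0 || len == 0 || len >= NAME_LEN) return 0;
    int clash = toy_lookup(d, long_name);
    if (clash >= 0 && clash != idx) return 0;  /* name already taken: skip */
    toy_rename(d, idx, long_name);
    return 1;
}

/* Constructed input: VAR00003 exists when another variable maps to it. */
static int demo(void) {
    struct toy_dict d = { { "VAR00003", "VAR001", "VAR002" }, 3 };
    int applied = apply_long_name(&d, "VAR001", "VAR00001");   /* accepted */
    applied += apply_long_name(&d, "VAR002", "var00003");      /* rejected */
    return applied;
}

int main(void) {
    printf("renames applied: %d\n", demo());
    return 0;
}
```

Calling `toy_rename` directly with the rejected pair would trip the assertion and abort the process, which is the failure mode the report shows.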